03-05-2003 10:50 PM - edited 02-21-2020 12:23 PM
Hi.
Is there anybody who knows how to create an IPsec tunnel between a PIX firewall and a Symantec 200R firewall?
I know how to configure the PIX, but can't figure out the Symantec 200R firewall!
It's working fine PIX-to-PIX!
The Symantec is configured like this:
--- IPSec Security Association ---
Phase 1 Negotiation: Main mode
Encryption and Authentication Method: ESP DES SHA1
SA Lifetime: 86400 minutes
Data volume limit: 0
Inactivity Timeout: 0
Perfect forward security: Disabled
--- Local Security Gateway ---
ID Type: IP Address
Phase 1 ID: 192.168.0.1
--- Remote Security Gateway ---
Gateway address: (outside ip address of PIX Firewall)
ID Type: IP Address
Phase 1 ID: (outside ip address of PIX Firewall)
Pre shared key: ****
--- For Gateway-to-gateway tunnels ---
NetBIOS Broadcast: Disabled
Global tunnel: Disabled
Remote Subnet 1 IP 10.0.0.0 255.255.0.0
The PIX Firewall is configured like this:
access-list outside_cryptomap permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer (outside ip address of Symantec 200R firewall)
crypto map outside_map 10 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address (outside ip address of Symantec) netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
From the log of the Symantec:
[03/04/2003 08:56:17.61] (name of PIX) - Initiating IKE Main Mode
[03/04/2003 08:56:17.61] (name of PIX) - STATE_MAIN_I1: initiate
[03/04/2003 08:56:27.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #3
[03/04/2003 08:56:47.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #3
[03/04/2003 08:57:27.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #3
[03/04/2003 08:57:27.61] (name of PIX) - !!!: max number of retransmissions (2) reached STATE_MAIN_I1
[03/04/2003 08:57:27.61] (name of PIX) - !!!: starting keying attempt 2d of at most 3d
[03/04/2003 08:57:27.61] (name of PIX) - Initiating IKE Main Mode
[03/04/2003 08:57:27.61] (name of PIX) - STATE_MAIN_I1: initiate
[03/04/2003 08:57:37.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #4
[03/04/2003 08:57:57.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #4
[03/04/2003 08:58:37.61] (name of PIX) - !!!: handling event EVENT_RETRANSMIT for (ip address of PIX) "(name of PIX)" #4
[03/04/2003 08:58:37.61] (name of PIX) - !!!: max number of retransmissions (2) reached STATE_MAIN_I1
[03/04/2003 08:58:37.61] (name of PIX) - !!!: starting keying attempt 3d of at most 3d
etc.
Regards,
Torben Grisell
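The Symantec log above shows every keying attempt timing out in STATE_MAIN_I1, that is, while waiting for the peer's reply to the very first Main Mode message. The following script is an added example (not part of the original post and not vendor code) that parses log lines in that format, groups them into keying attempts, counts the retransmits, and turns the stuck state into a diagnosis a defender can act on. The sample log is constructed in the same format as the post's excerpt; the peer name `pix-peer` and the address 192.0.2.1 are placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the Symantec log format shown in the post. The peer
# name and address are placeholders (documentation address), not page values.
SAMPLE_LOG = """\
[03/04/2003 08:56:17.61] pix-peer - Initiating IKE Main Mode
[03/04/2003 08:56:17.61] pix-peer - STATE_MAIN_I1: initiate
[03/04/2003 08:56:27.61] pix-peer - !!!: handling event EVENT_RETRANSMIT for 192.0.2.1 "pix-peer" #3
[03/04/2003 08:56:47.61] pix-peer - !!!: handling event EVENT_RETRANSMIT for 192.0.2.1 "pix-peer" #3
[03/04/2003 08:57:27.61] pix-peer - !!!: handling event EVENT_RETRANSMIT for 192.0.2.1 "pix-peer" #3
[03/04/2003 08:57:27.61] pix-peer - !!!: max number of retransmissions (2) reached STATE_MAIN_I1
[03/04/2003 08:57:27.61] pix-peer - !!!: starting keying attempt 2d of at most 3d
[03/04/2003 08:57:27.61] pix-peer - Initiating IKE Main Mode
[03/04/2003 08:57:27.61] pix-peer - STATE_MAIN_I1: initiate
[03/04/2003 08:57:37.61] pix-peer - !!!: handling event EVENT_RETRANSMIT for 192.0.2.1 "pix-peer" #4
[03/04/2003 08:57:57.61] pix-peer - !!!: handling event EVENT_RETRANSMIT for 192.0.2.1 "pix-peer" #4
[03/04/2003 08:58:37.61] pix-peer - !!!: handling event EVENT_RETRANSMIT for 192.0.2.1 "pix-peer" #4
[03/04/2003 08:58:37.61] pix-peer - !!!: max number of retransmissions (2) reached STATE_MAIN_I1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<peer>\S+) - (?P<msg>.*)$')
MAXRE_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"


@dataclass
class Attempt:
    peer: str
    started: datetime
    retransmits: int = 0            # EVENT_RETRANSMIT lines seen in this attempt
    last_state: str = ""            # furthest IKE state the log reports
    failed_state: Optional[str] = None
    ended: Optional[datetime] = None

    @property
    def seconds(self) -> Optional[float]:
        return None if self.ended is None else (self.ended - self.started).total_seconds()


def parse_ike_log(text: str) -> List[Attempt]:
    """Group log lines into Main Mode keying attempts."""
    attempts, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], TS_FMT), m["msg"]
        if msg == "Initiating IKE Main Mode":
            current = Attempt(peer=m["peer"], started=ts)
            attempts.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("STATE_"):
            current.last_state = msg.split(":")[0]
        elif "EVENT_RETRANSMIT" in msg:
            current.retransmits += 1
        elif (fm := MAXRE_RE.search(msg)):
            current.failed_state, current.ended = fm.group(2), ts
    return attempts


def diagnose(attempts: List[Attempt]):
    """Return (verdict, explanation) for the parsed attempts."""
    if not attempts:
        return "no-ike-activity", "no Main Mode attempts in the log"
    stuck = [a for a in attempts if a.failed_state == "STATE_MAIN_I1"]
    retx = sum(a.retransmits for a in attempts)
    if len(stuck) == len(attempts):
        return ("no-response",
                f"all {len(attempts)} attempt(s) timed out in STATE_MAIN_I1 after {retx} retransmits: "
                "the peer never answered the first Main Mode message, so check that IKE (UDP/500) "
                "reaches the peer and that the peer address configured on each side is the other's "
                "outside address before looking at proposal mismatches")
    if any(a.failed_state for a in attempts):
        return ("stalled-later",
                "negotiation progressed past MM1 but timed out later; compare phase 1 "
                "policies (encryption, hash, DH group, authentication) on both peers")
    return "completed-or-pending", "no retransmission limit was reached"


if __name__ == "__main__":
    parsed = parse_ike_log(SAMPLE_LOG)
    for i, a in enumerate(parsed, 1):
        print(f"attempt {i}: peer={a.peer} state={a.failed_state or a.last_state} "
              f"retransmits={a.retransmits} duration={a.seconds}s")
    print(*diagnose(parsed))
```

The point of the "no-response" verdict is that a proposal or pre-shared-key mismatch can only be diagnosed once the responder actually replies; when the initiator never gets past MM1, the first things to verify are reachability of UDP/500 and that each side's configured peer address is the other's real outside address.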
03-07-2003 07:25 PM
Hi Torben,
Please do check if the Symantec is using G1 or G2 for phase I. Also, in my experience, we can get more detailed info if we capture the PIX logs in this scenario, since the Symantec seems to be the initiator. What logs do you see in the PIX when the Symantec initiates the IPsec tunnel? The PIX will complain if the policies do not match; then you can change the policies to match for both phase I and phase II.
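The reply asks for the phase I DH group and for the phase I and phase II policies to be compared side by side. As an added example (not part of the thread and not Cisco or Symantec code), the script below parses the PIX `isakmp policy` and `crypto ipsec transform-set` lines from the post and compares them against the Symantec settings as typed in the post, normalised by hand into a dictionary. Two things on the Symantec side are assumptions: the DH group is modelled as `None` because the posted UI dump does not show it, and the SA lifetime is converted from the UI's "minutes" label into seconds, since the PIX `isakmp policy ... lifetime` value is in seconds. The peer address 192.0.2.2 is a placeholder.

```python
import re

# Constructed excerpt of the PIX configuration from the post (peer address
# replaced by a documentation address; everything else as posted).
PIX_CONFIG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 set peer 192.0.2.2
crypto map outside_map 10 set transform-set ESP-DES-SHA
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Symantec 200R settings as typed in the post, normalised by hand (assumption).
# None marks a value the UI dump does not show (the DH group); the lifetime is
# converted from the UI's "minutes" label into seconds.
SYMANTEC = {
    "phase1": {"authentication": "pre-share", "encryption": "des", "hash": "sha",
               "group": None, "lifetime_seconds": 86400 * 60},
    "phase2": {"encryption": "des", "auth": "sha", "pfs": False},
}

# PIX transform-set keywords -> (attribute, value) in a vendor-neutral vocabulary.
TRANSFORM_MAP = {
    "esp-des": ("encryption", "des"), "esp-3des": ("encryption", "3des"),
    "esp-aes": ("encryption", "aes"),
    "esp-sha-hmac": ("auth", "sha"), "esp-md5-hmac": ("auth", "md5"),
}
POLICY_RE = re.compile(r'^isakmp policy (\d+) (\S+) (\S+)$')
TSET_RE = re.compile(r'^crypto ipsec transform-set (\S+) (.+)$')
PFS_RE = re.compile(r'^crypto map \S+ \d+ set pfs')


def parse_pix(text):
    """Extract phase 1 policies and phase 2 transform sets from a PIX config."""
    policies, tsets, pfs = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            pol = policies.setdefault(int(m[1]), {})
            if m[2] == "lifetime":
                pol["lifetime_seconds"] = int(m[3])   # isakmp lifetime is in seconds
            elif m[2] == "group":
                pol["group"] = int(m[3])
            else:
                pol[m[2]] = m[3]
        elif m := TSET_RE.match(line):
            tsets[m[1]] = dict(TRANSFORM_MAP[t] for t in m[2].split() if t in TRANSFORM_MAP)
        elif PFS_RE.match(line):
            pfs = True                                # "set pfs" on any map entry
    for t in tsets.values():
        t["pfs"] = pfs
    return {"phase1": policies, "phase2": tsets}


def compare(local, remote):
    """Return (attribute, verdict, detail) tuples; 'verify' means one side is unknown."""
    findings = []
    for key in sorted(set(local) | set(remote)):
        lv, rv = local.get(key), remote.get(key)
        if lv is None or rv is None:
            findings.append((key, "verify", f"pix={lv} remote={rv}"))
        elif lv == rv:
            findings.append((key, "ok", f"{lv}"))
        elif key == "lifetime_seconds":
            # IKE peers normally settle on the shorter lifetime, so this alone does
            # not block the tunnel, but a minutes/seconds confusion is worth confirming.
            findings.append((key, "note", f"pix={lv} remote={rv}"))
        else:
            findings.append((key, "mismatch", f"pix={lv} remote={rv}"))
    return findings


def audit(pix_text, remote):
    """Compare every PIX policy / transform set against the remote side's settings."""
    pix = parse_pix(pix_text)
    report = {}
    for num, pol in pix["phase1"].items():
        report[f"phase1/policy {num}"] = compare(pol, remote["phase1"])
    for name, tset in pix["phase2"].items():
        report[f"phase2/{name}"] = compare(tset, remote["phase2"])
    return report


if __name__ == "__main__":
    for section, findings in audit(PIX_CONFIG, SYMANTEC).items():
        print(section)
        for attr, verdict, detail in findings:
            print(f"  {verdict:8} {attr}: {detail}")
```

Run against the posted settings, the report marks encryption, hash and authentication as matching on both phases, flags the phase I DH group as "verify" because the Symantec dump does not show it (the reply's G1/G2 question), and adds a "note" for the lifetime, where the PIX value is 86400 seconds and the Symantec value is labelled 86400 minutes.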